Lesson 1 — What is Microsoft Sentinel?
Welcome to the first lesson in the Agent Foskett Microsoft Sentinel Academy.
In this lesson, we begin with the problem Sentinel is designed to solve:
too much security data, too many disconnected systems, and not enough clear investigation context.
Microsoft Sentinel helps security teams collect signals, detect suspicious activity, create incidents,
investigate evidence and automate response across Microsoft and non-Microsoft environments.
What you will learn
This lesson explains Sentinel in plain English before we start configuring connectors, rules, incidents and automation.
Learning objectives
After completing this lesson, you should be able to explain Microsoft Sentinel at a practical SOC level.
- Describe what Microsoft Sentinel is.
- Explain the difference between SIEM and SOAR.
- Understand why organisations use Sentinel.
- Explain how Sentinel works with Microsoft Defender XDR.
- Identify the core Sentinel components used in later lessons.
The security problem
Most organisations do not have a shortage of logs. They have logs everywhere: Microsoft 365, Azure, endpoints, firewalls, VPNs, identity systems, servers, cloud platforms and third-party applications.
The real problem is turning all of that telemetry into useful detection, investigation and response.
What is Microsoft Sentinel?
Microsoft Sentinel is Microsoft's cloud-native SIEM and SOAR platform. It collects security data from many systems, analyses that data for suspicious activity, creates incidents for analysts, supports threat hunting with KQL, and can automate response actions using playbooks.
Think of Sentinel as the place where separate security signals become an investigation. Defender might detect a phishing email, Entra ID might show a risky sign-in, and a firewall might show unusual traffic. Sentinel helps bring those signals into one operational story.
What is a SIEM?
A SIEM, or Security Information and Event Management platform, collects logs from multiple systems, stores them centrally, analyses them, and helps security teams investigate threats.
What is SOAR?
SOAR means Security Orchestration, Automation and Response. This is the part of Sentinel that helps a SOC automate repeatable actions and standardise response workflows.
- Notify analysts when important incidents are created.
- Enrich incidents with extra context.
- Create tickets or send Teams messages.
- Trigger Logic Apps playbooks.
- Support repeatable response actions.
How Sentinel fits into Microsoft Security
Sentinel does not replace Microsoft Defender XDR. It extends the investigation view. Defender XDR is excellent at protecting Microsoft workloads and correlating Microsoft security signals. Sentinel can bring Microsoft and non-Microsoft data together into a broader SIEM and SOAR workflow.
Sentinel vs Microsoft Defender XDR
This is one of the most important concepts for beginners. Sentinel and Defender XDR work together, but they are not the same thing.
| Microsoft Defender XDR | Microsoft Sentinel |
|---|---|
| Protects and correlates Microsoft security workloads such as endpoint, identity, email and cloud apps. | Collects and correlates Microsoft and third-party security data across the wider environment. |
| Raises alerts and incidents from Microsoft Defender products. | Creates SIEM incidents using analytics rules, connectors, automation and cross-platform telemetry. |
| Best for Microsoft XDR investigation and response. | Best for enterprise SIEM, SOAR, threat hunting, dashboards and wider SOC operations. |
Real-world example
Defender XDR detects a phishing email. That is useful, but it may not tell the whole story. Sentinel can help correlate additional signals such as risky sign-ins, VPN activity, firewall logs, endpoint events and threat intelligence matches.
Instead of five separate clues, the analyst gets one clearer incident path.
Common beginner mistake
A common mistake is thinking Sentinel is just another alert portal. It is better to think of it as a security operations platform.
The goal is not simply to collect more alerts. The goal is to build better detection logic, reduce noise, investigate faster and respond consistently.
Key Sentinel components
| Component | What it does | Where we cover it |
|---|---|---|
| Log Analytics Workspace | Stores the data Sentinel queries and analyses. | Lesson 3 |
| Data Connectors | Bring Microsoft and third-party telemetry into Sentinel. | Lesson 4 |
| Incidents | Group alerts and evidence for analyst investigation. | Lesson 5 |
| Analytics Rules | Turn KQL and detection logic into alerts and incidents. | Lesson 6 |
| Workbooks | Create dashboards and operational views. | Later lesson |
| Playbooks | Automate response actions using Logic Apps. | Later lesson |
| Hunting | Use KQL to proactively search for suspicious activity. | Later lesson |
Related Agent Foskett learning
Microsoft Sentinel Academy progress
What is Microsoft Sentinel?
Microsoft Sentinel is Microsoft's cloud-native SIEM and SOAR platform for security operations, threat detection, incident investigation, KQL hunting, analytics rules, automation and response.
Microsoft Sentinel Lesson 1
This Agent Foskett Microsoft Sentinel Academy lesson explains SIEM, SOAR, Microsoft Defender XDR integration, Log Analytics, data connectors, incidents, analytics rules and SOC workflows.
